I'd like to write an nftables rule that matches packet fields which are NOT found in a set:
ip not ip saddr @local_networks drop
Unfortunately this gives a syntax error: "unexpected !" Moving the 'not' to various other likely points in the statement makes no difference to error message. Is negation allowed?
In Debian 10 (nftables 0.9.0 + whatever Debian patches) this syntax works to drop packets with source IP address not in set local_networks:
ip saddr != @local_networks drop
I've examined the source code and discovered that although "!" and "not" are both syntax elements - they have lexer symbols defined for them, they are not used anywhere in the parser. I suppose I'll have to put in an enhancement request.